SonarQube Integration in Android Application (Part 1)

Jatin Juneja
Published in OLX Engineering
Oct 19, 2019


Delivering high-quality code is every developer's top priority. To achieve it, developers try to write code that is clear, maintainable in the long run, scalable, refactored from time to time, and so on. But there is always room for improvement, because some of these parameters get overlooked while developing or during peer code review.

To overcome this and deliver high-quality code, we integrate quality check tools like SonarQube, Lint, FindBugs, PMD, etc. that perform an automatic code review with every release.

What is an Automatic Code Review Tool?

  • Automated code-review tool checks source code for compliance with a predefined set of rules or best practices.
  • It will drastically reduce the time and effort while ensuring better overall quality and performance for large complex applications
  • It offers the ability to identify common vulnerabilities before an application is released or implemented

Why is an Automatic Code Review Tool Required?

  • Tracks bugs and vulnerabilities
  • Gate-keeper if a new vulnerability is introduced
  • Keeps track of a large number of bugs

Scope

  1. What is SonarQube?
  2. Why is an automatic code review tool required?
  3. Why use SonarQube?
  4. Getting Sonar Local Server up and running
  5. Integrating SonarQube in Android Application
  6. Publishing Android Application reports on Sonar Server

Prerequisites

  • Android development experience (SDK, library usage, Gradle etc.)

Series Pit Stops

1. What is SonarQube?

As per the official documentation, “SonarQube is an automatic code review tool to detect bugs, vulnerabilities and code smell in your code”. It empowers developers to write cleaner and safer code and detects the overall health of the platform.

3. Why use SonarQube?

  • SonarQube offers code-quality management by suggesting what is wrong and helps you put it right
  • It provides a clean dashboard to address bugs, coding rules, test coverage, API documentation, code duplication, complexity, and many more things
  • It gives you the snapshot of today’s code quality as well as tells you what went wrong and what’s likely to go wrong in future
  • Other code quality tools focus mainly on bugs and complexity but Sonar covers 7 sections of code quality:- Architecture and design, unit tests, duplicated code, potential bugs, complex code, coding standards, and comments

So, what do we need to view our SonarQube reports?

a. Sonar Server (for publishing reports)

b. Android Application (for SonarQube integration)

4. Getting Sonar Local Server

a. We need to install Docker on our local machine before installing SonarQube. For Docker installation, visit “https://hub.docker.com/editions/community/docker-ce-desktop-mac”. Login/Create Account to download Docker

b. Once you have installed Docker, it's time for SonarQube installation

c. Open Terminal on Mac (Command + Space), type “docker pull sonarqube:7.5-community” and press ENTER

d. Type “docker ps -a” and press ENTER (this lists the containers present in Docker; there should be none if you are doing the SonarQube Docker installation for the first time)

e. Type “docker run -d --name sonarqube -p 9000:9000 sonarqube:7.5-community” and press ENTER

f. Type “docker ps -a” and press ENTER (now it should show one row with the SonarQube container running)

g. Now, the SonarQube should be up and running. To test, visit http://localhost:9000/

h. Login with credentials Username — “admin” and Password — “admin”

i. Generate a token for your Android Application by providing a name for your token

j. Save the token. You will need it later in configuring Android Application for running SonarQube

5. Integrating SonarQube in Android Application

a. In Project’s build.gradle file, add Sonar plugin at top:-

apply plugin: "org.sonarqube"

b. Add the classpath dependency within buildscript (buildscript -> dependencies)

classpath "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.7.1"

c. After steps a and b, hit “Sync Now”

d. SonarQube is now added to the Android Application, so it's time to do the basic configuration for SonarQube. Replace PROJECT-NAME and PROJECT-KEY with the name of your Android Application

sonarqube {
    properties {
        property "sonar.projectName", "PROJECT-NAME"   // replace with the name of your application
        property "sonar.projectKey", "PROJECT-KEY"     // replace with a unique key for your application
        property "sonar.tests", ["src/test/java"]
        property "sonar.test.inclusions", "**/*Test*/**"
        property "sonar.sourceEncoding", "UTF-8"
        property "sonar.sources", "src/main/java"
        // Files matching these patterns are left out of the analysis
        property "sonar.exclusions", '**/*Test*/**,' +
                '*.json,' +
                '**/*test*/**,' +
                '**/.gradle/**,' +
                '**/R.class'
    }
}

P.S.- if any file within the module needs to be excluded, you should mention it in “sonar.exclusions”.

e. Hit “Sync Now”

That's it. You have integrated SonarQube in the Android App.

6. Generating and Publishing Android Application Report on Sonar Server

a. To generate a report, we need to run a Gradle command:-

./gradlew sonarqube -Dsonar.host.url=http://localhost:9000/ -Dsonar.login=$REPLACE_WITH_GENERATED_TOKEN

b. You can watch the command execute in the Terminal:-

c. Visit “http://localhost:9000/projects” after the build is successful
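As an added example (not code from the original post), the following POSIX shell script ties sections 4 and 6 together: it starts the container from step 4e if it is not already present, polls SonarQube's /api/system/status endpoint until the server reports UP (the container takes a while to start after “docker run”), and then runs the same Gradle scan with the token read from an environment variable instead of being typed on the command line, where it would land in the shell history. SONAR_URL, SONAR_TOKEN and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added helper (not part of the original post). Assumed names: SONAR_URL,
# SONAR_TOKEN and the functions below. Source the file, then call
# start_sonar followed by run_scan from the Android project directory.

SONAR_URL="${SONAR_URL:-http://localhost:9000}"

# Pull the "status" field (STARTING, UP, DOWN, ...) out of the JSON returned
# by /api/system/status, using only POSIX tools. Prints nothing on non-JSON.
status_from_json() {
    printf '%s' "$1" | sed -n 's/.*"status" *: *"\([A-Z_]*\)".*/\1/p'
}

# Poll the server every 5s until it reports UP; give up after $2 seconds.
wait_for_sonar() {
    url="$1"; timeout="${2:-180}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        body=$(curl -s "$url/api/system/status" 2>/dev/null || true)
        [ "$(status_from_json "$body")" = "UP" ] && return 0
        sleep 5; waited=$((waited + 5))
    done
    echo "SonarQube at $url not UP after ${timeout}s" >&2
    return 1
}

# Refuse to scan with an empty token so a misconfigured job fails loudly
# instead of silently trying to publish without credentials.
check_token() {
    [ -n "$1" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
}

# Same docker run as step 4e, skipped if a container named sonarqube exists.
start_sonar() {
    docker ps -a --format '{{.Names}}' | grep -qx sonarqube && return 0
    docker run -d --name sonarqube -p 9000:9000 sonarqube:7.5-community
}

# Same Gradle invocation as step 6a; the token comes from the environment.
run_scan() {
    check_token "$SONAR_TOKEN" || return 1
    wait_for_sonar "$SONAR_URL" || return 1
    ./gradlew sonarqube -Dsonar.host.url="$SONAR_URL/" -Dsonar.login="$SONAR_TOKEN"
}
```

Export SONAR_TOKEN with the token generated in step 4i before calling run_scan.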


What’s Next?

On the next pit stop, we’ll learn about Publishing Android Application Unit Test Report on SonarQube.
